Tuesday, July 31, 2012

NEW YORK: State Senator urges biometric ID for Medicaid recipients (Buffalo News)

U.S. SUPREME COURT: Criminal DNA Collection Law Stays In Place (WRTV 6 - Indiana)
Contrary to the author's assertion, collecting DNA after arrest and before trial isn't controversial; it is evidence. Evidence can be used to exonerate as well as convict.
Now, what happens to the evidence following a not guilty verdict is another matter altogether.

The new system is dramatically reducing SASSA’s operating costs. Until now, it has cost SASSA between R26 ($3.25) and R35 ($4.38) per grant to pay beneficiaries. Under the new agreement, disbursement costs will be capped at R16.50 ($2.07) per payment, enabling the agency to save up to R3bn ($375m) in operating costs over the next five years. This means that the agency will be able to spend its budget allocation more effectively in the future, making a meaningful difference in the lives of more South Africans.

“The early success of the project rollout affirms MasterCard’s vision to create a world beyond cash, as electronic payments using debit MasterCards opens up a world of financial inclusion for many South Africans who have previously not had access to banking products,” says Dries Zietsman, Country Manager, MasterCard South Africa.

“With over 2.5 million cards already issued since rollout in March 2012, it is clear that the cards are already being widely accepted by beneficiaries who are realising the benefits of a cashless environment,” he concludes.

That's because a hacking claim can generate a lot of media publicity even if it doesn't constitute proof that a technology is fatally flawed. Where's the publicity value of hacking something that nobody uses, anyway? Claims like this can also be taken as a sign that a new technology, iris biometrics in this case, has crossed some sort of adoption and awareness threshold.

So what about the hack? Now that more information is available and assuming that Wired has things about right, "experiment" is a far better descriptor than "hack" for what actually went down. "Hack" would seem to indicate that a system can be manipulated into behaving unexpectedly and with exploitable consequences in its real world conditions. Think of picking a lock. A doorknob with a key hole can be manipulated by tools that aren't the proper key to open a locked door in its normal operating environment.

The method that the researchers relied upon to develop the fake iris from the real template bears no resemblance to the lock-picking example. What the researchers did is known as hill-climbing. In simple terms, it's like playing the children's game Cold-Warm-Hot but the feedback is more detailed. A hill-climbing experiment relies upon the system being experimented on giving detailed information back to the experimenter about how well the experimenter is doing. The experimenter presents a sample and the system gives a score (cold, warm, hot). The experimenter refines the sample and hopes the score will improve. Lather, rinse, repeat. A few hundred iterations later, the light turns green.

Technically, you don't even need to have a sample (template) to start hill climbing. You could just start feeding the system random characters until you hit upon a combination that fits the template's template(?).
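The dependence on score feedback described above can be seen in a small simulation. This is an added example, not code from the researchers or from this blog: the 256-bit template, the 0.68 threshold and the `Matcher` class are constructed stand-ins for a real matcher, and the run compares a verifier that returns its raw score with one that returns only accept/reject and one that locks out after five failures.

```python
import random

N_BITS = 256          # constructed template length, not a real iris-code format
THRESHOLD = 0.68      # constructed accept threshold (fraction of matching bits)


def make_template(seed=7):
    """Constructed enrolment template: exactly half ones, shuffled."""
    bits = [1] * (N_BITS // 2) + [0] * (N_BITS // 2)
    random.Random(seed).shuffle(bits)
    return bits


class Matcher:
    """Toy verifier. `expose_score` and `max_failures` are the knobs under test."""

    def __init__(self, template, expose_score, max_failures=None):
        self.template = template
        self.expose_score = expose_score
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, sample):
        """Return (accepted, feedback); feedback is what the caller can observe."""
        if self.max_failures is not None and self.failures >= self.max_failures:
            return False, 0.0                      # locked out: no signal at all
        same = sum(a == b for a, b in zip(sample, self.template))
        score = same / N_BITS
        accepted = score >= THRESHOLD
        if not accepted:
            self.failures += 1
        # Decision-only mode collapses the score to 0.0 / 1.0.
        return accepted, (score if self.expose_score else float(accepted))


def hill_climb(matcher):
    """Cold-Warm-Hot loop: flip one bit, keep it only if the feedback went up."""
    sample = [0] * N_BITS                          # no enrolled template in hand
    accepted, best = matcher.verify(sample)
    queries = 1
    for i in range(N_BITS):
        if accepted:
            break
        sample[i] ^= 1
        accepted, feedback = matcher.verify(sample)
        queries += 1
        if feedback > best:
            best = feedback                        # "warmer": keep the change
        else:
            sample[i] ^= 1                         # "colder": undo it
    return accepted, queries


def run_experiment():
    template = make_template()
    return {
        "raw score": hill_climb(Matcher(template, expose_score=True)),
        "decision only": hill_climb(Matcher(template, expose_score=False)),
        "raw score + lockout": hill_climb(Matcher(template, True, max_failures=5)),
    }


if __name__ == "__main__":
    for mode, (accepted, queries) in run_experiment().items():
        print(f"{mode:20s} accepted={accepted!s:5s} queries={queries}")
```

Only the raw-score verifier ever turns the light green; with the score withheld or the attempt count capped, the loop gets no "warmer" signal to follow.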

This is one of those exercises that is academically interesting but doesn't provide much useful information to system engineers or organization managers. Scientific experiments deal with their subjects by isolating and manipulating one variable at a time. Real world security systems are deployed with careful consideration of the value of what is being protected and a dependence upon all sorts of environmental factors.

A person who wanted to bypass an iris scanner using this method in the real world would:

1. Hack into a biometric database to steal a template of an authorized user; pray templates aren't encrypted
2. Determine which biometric algorithm (which company's technology) generated the template
3. Buy (or steal) that company's software development kit
4. Build and successfully run the hill-climbing routine
5. Print the resulting image using a high quality printer
6. Go to the sensor
7. Place print-out in front of iris scanner
8. Cross fingers

Simple, right? Compared to what?

Once you're talking about hacking into unencrypted biometric template databases (and depending upon your CRUD privileges) almost anything is possible and little of it requires Xeroxing yourself a pair of contact lenses.

Why not just blow away the whole database of iris templates? Problem solved. The scanners, now just locks with no key, would have to be disabled at least temporarily.

If stealth is more your style, just hack into the database, create a credential for yourself by placing your very own iris template in there and dispense with the whole rigmarole of the hill-climbing business. Delete your template (and why not all the others) after the heist.

If your hacking skillz aren't up to the task, you could stalk someone who is already enrolled with a Nikon D4 and a wildlife photography lens and skip steps one thru four (and eight) on the above list.

You could trick, threaten or bribe someone into letting you in.

Break the door or a window.

The elaborateness of the process undertaken by the researchers pretty much proves that the iris sensor isn't going to be the weak link in any real world security deployment.

This state-of-the-art battlefield intelligence, reconnaissance and surveillance architecture will enable analysts from every service to take data from multiple military and government sensors and databases and compile them into a single, easy-to-access format, he explained.

DCGS-Army, already fielded in Afghanistan as it undergoes operational testing and evaluation, provides a glimpse into that intelligence enterprise.

“It brings together data from all the sensors,” Wells said, regardless of whether they’re based in space, on aircraft or on the ground -- even biometric data collected by a soldier at a local forward operating base -- and incorporates it into a single platform.

Apple Inc. has reportedly paid $350 million to acquire Melbourne, Fla.-based AuthenTec Inc., a maker of fingerprint authentication technology, Bloomberg reports.
...
The deal will help Apple improve its biometric features to improve security on future releases of the iPad and iPhone.

Josh Franklin at Seeking Alpha deserves a special prize. He called it here on June 4 when AUTH shares were trading for about $4.60/s. Pre-open today is about $8.16. Since his article at the time disclosed his long position in AUTH, he's probably already counting his special prize as I type this.

Thursday, July 26, 2012

Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

"Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring.

The article covers a lot more ground than it is fair to copy and paste. It also begs important questions.

Given that ID management perfection isn't an option, what approximation of perfection is desirable?
What costs are worth bearing?

The Utica College Center for Identity Management and Information Protection is to be commended for their work.

GALLIPOLIS, Ohio -- The Governor's Office of Health Transformation and the Ohio Department of Alcohol and Drug Addiction Services will discuss a new pilot program designed to reduce the diversion and misuse of prescription medications at 10 a.m. Thursday at Holzer Health Systems.

The leaders therefore asked the CEMAC commission to accelerate the process of establishing emergency funds which will guarantee sustainable funding of REP.

In order to promote real integration within the CEMAC zone, the conference of heads of state decided to implement the principle of free movement of persons through the issuance of biometric passports for members of the six countries in the sub-region.

Regarding the establishment of the regional airline, Air CEMAC, the conference of heads of state encouraged speedy conclusion of negotiations with Air France which will be a technical partner for the project.

The ability to travel and the rigorous ID management that underpins it are two very important factors in economic development.

The Pinal County Sheriff’s Office announced it is expanding the use of mobile, multi-modal (iris, fingerprint and facial) biometric identification technology used by deputies.

Patrol deputies, detectives and SWAT members will be able to verify the identity, criminal background, and risk information of suspects with a hand held, wireless device on a Smartphone. Sworn deputies will have iris, fingerprint and facial recognition identification technology available to them virtually anywhere.

Pinal County has been an early adopter of biometrics and BI2 has obviously done a great job of supporting them.

ARMM is haunted by phantom students, wraith-teachers, “even ghost schools in ghost barangays,” says Jamar Kulayan, who was appointed January. A Tausug, Kulayan found it had become practice in the region for teachers to bloat student-enrollee numbers.

There are 2,000 teachers in excess of 20,000 officially hired. “Names of teachers already dead, retired, or abroad were still listed.” They continue drawing their salaries. A “Task Force on Moratorium of Abolition and Creation of Schools” is now operational.

The new final Book of Voters is still ahead. But a consensus on making honest elections the centerpiece of ARMM reforms exists, notes Institute for Autonomy and Governance’s Fr. Eliseo Mercado, OMI… The new technology of biometrics will be used to ensure honest polls.

If this drill succeeds, it’d be a fitting legacy for P-Noy, new ARMM officials and NGOs working to purge lists. Exorcising banshees is a welcome change.

Unfortunately for Vega, Negron has a lengthy list of arrest warrants out of Essex District Court stemming from several felonious drug-related arrests in Lynn in 2008, according to police.

When he finally gave his real name, he allegedly admitted to police he was using Negron's identity so he could work while collecting disability benefits.

One ID (Vega) is an able-bodied non-felon.
Another ID (Negron) is a disabled felon.

Evidently (and unsurprisingly) the disability rolls and arrest warrants databases aren't linked and there is a way to exploit both ID's. The trick is using the compromised ID only with people in the handing-out-money business, and your real ID with those in the hauling-people-off-to-jail line.

Eventually biometrics helped police determine that Jose was telling the truth when he (Vega) confessed to being a fraudster rather than the wanted felon (Negron), so he's got that going for him.

The petitioners said the ministry should examine whether a central database was in fact needed and whether there were other options that could prevent data leaks or information theft.

Though the court rejected the petition as premature because the pilot has not yet run, Justices Miriam Naor, Hanan Melcer and Isaac Amit also accepted the petitioners’ arguments that the state must rework its planned pilot of the program to evaluate whether it is necessary to store the population’s biometric data in a single, centralized database.

The Interior Ministry has been planning for years to replace existing ID cards with ones containing biometric data, and in 2009, the Knesset approved the biometric data law that allowed the initiative to move forward.

The limitations and inconvenience involved in using alternative identification methods i.e. photographs, passwords and PIN codes have driven the growth of biometric technologies in last few years. Again, increasing terrorist attacks, plane hijackings and crime rates have underlined the need for superior security measures around the world. On the other side, some border control projects like e-passport, VIS, EURODAC, etc. and some national identity scheme like Aadhar are acting as a major driver for the biometrics industry. As more and more people and organizations depend on computers to store their important documents, there is an increasing need for security. Biometrics has been adopted for such logical access control applications as the most secure technology till date.

According to "Global Biometric Systems Market Forecast & Opportunities, 2017", global biometrics market revenues are anticipated to reach USD 10.02 Billion by 2014. Increasing security requirements for public security i.e. border control, national identity etc., internet & network access and financial transactions are acting as growth driver for the industry. The market has been led by fingerprint technology from the last few decades. However, the vein recognition technology is gaining acceptance globally which is expected to grow rapidly in years to come. Regionally, North America & Europe together contributed 62.46% of the total revenues of global biometrics market in 2011. The global biometrics market has a huge potential due to increasing public acceptance.

Fiji's Electronic Voter Registration (EVR) is now more than one-third of the way to reaching the Government's target of registering 600,000 Fijians. At the end of the third week of EVR, the total stands at 211,291.

"We are happy that momentum is continuing to grow for voter registration," the Attorney-General and Minister Responsible for Elections, Aiyaz Sayed-Khaiyum said. "EVR is now in full stride as we continue to open new registration centers across the country."

In order to reach the 600,000 mark, an average of 10,000 Fijians a day must register over the course of the 60-day registration period. As of Sunday, July 22, EVR has averaged slightly more than 10,550 a day, a figure that includes totals for the first week when only a limited number of registration centers were open.

The senator made some pointed criticisms to Facebook's manager of privacy and public policy Rob Sherman. Sen. Franken noted how difficult it is for users to opt out of having their faces recognized by Facebook supercomputers. The privacy settings, he argued, are buried deep in a lengthy and frustrating process. "Right now, you have to go through six different screens to get (to the privacy opt-out)," Sen. Franken complained. "I'm not sure that's 'easy to use'."

The growing use of facial recognition technology raises serious privacy and civil liberties concerns, said Senator Al Franken, a Minnesota Democrat and chairman of the Senate Judiciary Committee's privacy subcommittee. Franken, during a subcommittee hearing, called on the U.S. Federal Bureau of Investigation and Facebook to change the way they use facial recognition technology.

Biometric information, including facial features, is sensitive because it is unique and permanent, Franken said.

There are real privacy issues surrounding both government biometric surveillance and the transparency of private entities that use biometrics.

Dealing with the particulars of the hearing, though, it seems that if you're mad at Facebook, deal with Facebook and that those worried about the government's respect for the privacy of citizens would be best served arguing for limits to the government's snooping power, regardless of the technical method used.

Of the methods Facebook uses to extract personal information from users, facial recognition is perhaps the best known.

Of the myriad technologies government uses to track citizens, facial recognition is among the least significant.

That won't always be the case, so it's good to build consensus on the proper use of a new technology in an open and informed way, but it shouldn't be hyped and used as a distraction from more pertinent privacy issues.

The iris — the colored part of the eye that eye-scanners analyze — changes as people age, making the scanners more likely to wrongly lock out people with every passing year, according to a new study.

The finding goes against the established, yet never-proven notion that eye scanners can accurately identify people throughout their lives, said Kevin Bowyer, a computer scientist at the University of Notre Dame who performed the study.

Read the whole thing. It's an article that gets at an interesting aspect of the algorithm end of the biometric ID management problem. It also has input from two of the speakers at the recent TechConnectWV event: Marios Savvides (Carnegie Mellon) and Bojan Cukic (W. Va. Univ.).

A good biometric modality must be: unique, durable, and easily measurable. If any of these are missing, widespread use for ID management isn't in the cards. If something is unique and durable but isn't easily measurable, it can still be useful but it isn't going to become ubiquitous in automated (or semi-automated) technology. Teeth and DNA fit this model. Teeth have been used to determine the identity of dead bodies with a high degree of certainty for a long time, but we aren't going to be biting any sensors to get into our computers any time soon — or ever. Likewise with DNA.

There is also the challenge of proving that a modality is in fact unique, durable and easily measurable which requires a whole lot of experimental data, and especially regarding uniqueness, a healthy dose of statistical analysis. I'm no statistician, and from what I understand, the statistical rules for proving biometric uniqueness aren't fully developed yet anyway, so let's just leave things in layman's terms and say that if you're wanting to invent a new biometric modality and someone asks you how big a data set of samples of the relevant body part you need, your best answer is "how much can you get me?"

In order to ascertain uniqueness you need samples from as many different people as you can get. For durability you need biometric samples for the same person taken over a period of time and multiplied by a lot of people.

Ease of measure is more experiential and will be discovered during the experimentation process. The scientists charged with collecting the samples from real people will quickly get a feel for the likelihood that people would adapt to a given ID protocol.

For two of the "big three" biometric modalities, face and fingerprint, huge data repositories have existed since well before there was any such thing as a biometric algorithm. Jails (among others) had been collecting this information for a hundred years and the nature of the jail business means you'll get several samples from the same subject often enough to test durability, too, over their criminal life. These data could be selected such that they were as good as they could be to assess both uniqueness and durability. For face, other records such as school year books exist and were readily available to researchers who sought to measure uniqueness and durability.

Which brings us to iris.

Where do you look to find a database of several million high-resolution images of human irises collected by professionals who took good notes? Well there's your problem.

The solution is to go about building such a data set yourself and several organizations have been doing just that. One can make considerable progress on the question of uniqueness with a big push, collecting more data quickly. Assessing durability, however, takes time no matter how much money and effort can be applied. Some processes can be sped up with more resources; some can't (nine women can't make a baby in a month) and the real bummer with determining biometric durability is that you can't really know in advance how much time it's going to take to prove it to a satisfactory degree.

So it's not a surprise that the uniqueness of the human iris was determined before its durability, and it may come about that the iris is, like the face, "durable enough." We are all too aware that the face changes, but certain aspects of it don't change so much that facial recognition is pointless. The same may be true of the iris. It, too, may be durable enough.

It may also turn out to be the case that irises change in a predictable way and that those changes can be accounted for on the software side, so all this isn't to say that iris isn't among, or won't solidify its position among the "big three"; it's just had a harder road to get there.

Thursday, July 19, 2012

Here's a Storify transcript of this morning's Tweet Chat about biometrics (#biometricchat).

I offer many thanks to John at M2SYS for asking me to fill in for him and Mike Kirkpatrick for taking time out of his busy schedule to lend his experience to our understanding of the FBI's use of biometrics for law enforcement and civilian purposes.

Welcome to the SecurLinx Blog

Here we draw attention to items of interest in the biometrics and identity-management landscape.

SecurLinx offers patented solutions that store, process and share biometric template information specific to the challenges of law enforcement, gaming and the security industry.

We see ourselves as building the bridge between Biometric Service Providers (BSP's) that create new technology and the end users that have a problem in search of a solution and who could not care less about the technology itself.
